FROM docker.io/library/node:22-slim

USER root

RUN apt-get update && apt-get install -y --no-install-recommends \
        git \
        ca-certificates \
        curl \
        openssh-client \
        build-essential \
        python3 \
        ripgrep \
        fd-find \
    && rm -rf /var/lib/apt/lists/* \
    && ln -s /usr/bin/fdfind /usr/local/bin/fd

# Install Claude Code CLI (latest stable).
# --ignore-scripts skips npm postinstall hooks for ALL packages in the
# dependency tree (defense-in-depth against malicious transitive
# postinstalls). Then run claude-code's own install.cjs explicitly —
# it's required to wire `/usr/local/bin/claude` (which is a symlink to
# `bin/claude.exe`) to the platform-native binary downloaded into
# `node_modules/@anthropic-ai/claude-code-linux-<arch>/claude`. Without
# this step the symlinked `claude.exe` is a no-shebang error stub that
# exec()s with ENOEXEC (issue #132).
RUN npm install -g --ignore-scripts @anthropic-ai/claude-code \
    && node /usr/local/lib/node_modules/@anthropic-ai/claude-code/install.cjs

# node:22-slim already has user node (1000:1000)
USER node
WORKDIR /workspace
